1e0ae35e77deadaabb31b061bd37c6fe3a463e7c63085da5724c0d37a25a3296

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17/08/2023, 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13ad5d0cb2b321ac7cbda3c6ffe5cda3_goldeneye_JC.exe
Size

372KB
MD5

13ad5d0cb2b321ac7cbda3c6ffe5cda3
SHA1

2db7dbc546ab603a6736cd4f178d93267fef640a
SHA256

1e0ae35e77deadaabb31b061bd37c6fe3a463e7c63085da5724c0d37a25a3296
SHA512

d2996220daef189907cd017518655f8d267c830726103502ed2d70a0936cb9b9edbcdf7bb6a6284ed57272fe47af8bc547aeccdeca6fce29819a41c72678684b
SSDEEP

3072:CEGh0oAmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGnl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E4CB87C-7148-4cb7-8204-2B2007F9B2E7}\stubpath = "C:\\Windows\\{6E4CB87C-7148-4cb7-8204-2B2007F9B2E7}.exe"	13ad5d0cb2b321ac7cbda3c6ffe5cda3_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AEA5A48-7260-4d37-8C4E-3D8B89F63B87}\stubpath = "C:\\Windows\\{0AEA5A48-7260-4d37-8C4E-3D8B89F63B87}.exe"	{1B5FB26C-CFEC-49ae-9A3A-AA552D33D5A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C50190C-6D34-4723-937B-47EC3EEC1B47}\stubpath = "C:\\Windows\\{4C50190C-6D34-4723-937B-47EC3EEC1B47}.exe"	{4C63C6FC-2788-47ee-911C-D60ED5F8C5DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A616FFF6-C841-4697-906B-2F811214976E}	{2A304159-24EC-44dd-A60D-B5F4E55946E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC760150-BCFE-488a-BF6A-0367C73D7C0D}\stubpath = "C:\\Windows\\{AC760150-BCFE-488a-BF6A-0367C73D7C0D}.exe"	{B9E09BCE-0491-4ade-A649-E39A5EDCF690}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B5FB26C-CFEC-49ae-9A3A-AA552D33D5A7}	{6E4CB87C-7148-4cb7-8204-2B2007F9B2E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AEA5A48-7260-4d37-8C4E-3D8B89F63B87}	{1B5FB26C-CFEC-49ae-9A3A-AA552D33D5A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1B3A8C0-F615-4611-8CA8-BFB14F5EA996}	{4C50190C-6D34-4723-937B-47EC3EEC1B47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A304159-24EC-44dd-A60D-B5F4E55946E9}	{E1B3A8C0-F615-4611-8CA8-BFB14F5EA996}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A304159-24EC-44dd-A60D-B5F4E55946E9}\stubpath = "C:\\Windows\\{2A304159-24EC-44dd-A60D-B5F4E55946E9}.exe"	{E1B3A8C0-F615-4611-8CA8-BFB14F5EA996}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B541F34-39A2-4c35-A6AE-533EDD992BE2}\stubpath = "C:\\Windows\\{1B541F34-39A2-4c35-A6AE-533EDD992BE2}.exe"	{A616FFF6-C841-4697-906B-2F811214976E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9E09BCE-0491-4ade-A649-E39A5EDCF690}\stubpath = "C:\\Windows\\{B9E09BCE-0491-4ade-A649-E39A5EDCF690}.exe"	{1B541F34-39A2-4c35-A6AE-533EDD992BE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B5FB26C-CFEC-49ae-9A3A-AA552D33D5A7}\stubpath = "C:\\Windows\\{1B5FB26C-CFEC-49ae-9A3A-AA552D33D5A7}.exe"	{6E4CB87C-7148-4cb7-8204-2B2007F9B2E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C63C6FC-2788-47ee-911C-D60ED5F8C5DE}\stubpath = "C:\\Windows\\{4C63C6FC-2788-47ee-911C-D60ED5F8C5DE}.exe"	{0AEA5A48-7260-4d37-8C4E-3D8B89F63B87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C50190C-6D34-4723-937B-47EC3EEC1B47}	{4C63C6FC-2788-47ee-911C-D60ED5F8C5DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1B3A8C0-F615-4611-8CA8-BFB14F5EA996}\stubpath = "C:\\Windows\\{E1B3A8C0-F615-4611-8CA8-BFB14F5EA996}.exe"	{4C50190C-6D34-4723-937B-47EC3EEC1B47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A616FFF6-C841-4697-906B-2F811214976E}\stubpath = "C:\\Windows\\{A616FFF6-C841-4697-906B-2F811214976E}.exe"	{2A304159-24EC-44dd-A60D-B5F4E55946E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC760150-BCFE-488a-BF6A-0367C73D7C0D}	{B9E09BCE-0491-4ade-A649-E39A5EDCF690}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E4CB87C-7148-4cb7-8204-2B2007F9B2E7}	13ad5d0cb2b321ac7cbda3c6ffe5cda3_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C63C6FC-2788-47ee-911C-D60ED5F8C5DE}	{0AEA5A48-7260-4d37-8C4E-3D8B89F63B87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B541F34-39A2-4c35-A6AE-533EDD992BE2}	{A616FFF6-C841-4697-906B-2F811214976E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9E09BCE-0491-4ade-A649-E39A5EDCF690}	{1B541F34-39A2-4c35-A6AE-533EDD992BE2}.exe

Deletes itself 1 IoCs

pid	Process
2812	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2144	{6E4CB87C-7148-4cb7-8204-2B2007F9B2E7}.exe
2828	{1B5FB26C-CFEC-49ae-9A3A-AA552D33D5A7}.exe
2416	{0AEA5A48-7260-4d37-8C4E-3D8B89F63B87}.exe
2660	{4C63C6FC-2788-47ee-911C-D60ED5F8C5DE}.exe
2360	{4C50190C-6D34-4723-937B-47EC3EEC1B47}.exe
268	{E1B3A8C0-F615-4611-8CA8-BFB14F5EA996}.exe
1004	{2A304159-24EC-44dd-A60D-B5F4E55946E9}.exe
1560	{A616FFF6-C841-4697-906B-2F811214976E}.exe
3016	{1B541F34-39A2-4c35-A6AE-533EDD992BE2}.exe
2888	{B9E09BCE-0491-4ade-A649-E39A5EDCF690}.exe
1736	{AC760150-BCFE-488a-BF6A-0367C73D7C0D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6E4CB87C-7148-4cb7-8204-2B2007F9B2E7}.exe	13ad5d0cb2b321ac7cbda3c6ffe5cda3_goldeneye_JC.exe
File created	C:\Windows\{1B5FB26C-CFEC-49ae-9A3A-AA552D33D5A7}.exe	{6E4CB87C-7148-4cb7-8204-2B2007F9B2E7}.exe
File created	C:\Windows\{4C63C6FC-2788-47ee-911C-D60ED5F8C5DE}.exe	{0AEA5A48-7260-4d37-8C4E-3D8B89F63B87}.exe
File created	C:\Windows\{4C50190C-6D34-4723-937B-47EC3EEC1B47}.exe	{4C63C6FC-2788-47ee-911C-D60ED5F8C5DE}.exe
File created	C:\Windows\{2A304159-24EC-44dd-A60D-B5F4E55946E9}.exe	{E1B3A8C0-F615-4611-8CA8-BFB14F5EA996}.exe
File created	C:\Windows\{B9E09BCE-0491-4ade-A649-E39A5EDCF690}.exe	{1B541F34-39A2-4c35-A6AE-533EDD992BE2}.exe
File created	C:\Windows\{AC760150-BCFE-488a-BF6A-0367C73D7C0D}.exe	{B9E09BCE-0491-4ade-A649-E39A5EDCF690}.exe
File created	C:\Windows\{0AEA5A48-7260-4d37-8C4E-3D8B89F63B87}.exe	{1B5FB26C-CFEC-49ae-9A3A-AA552D33D5A7}.exe
File created	C:\Windows\{E1B3A8C0-F615-4611-8CA8-BFB14F5EA996}.exe	{4C50190C-6D34-4723-937B-47EC3EEC1B47}.exe
File created	C:\Windows\{A616FFF6-C841-4697-906B-2F811214976E}.exe	{2A304159-24EC-44dd-A60D-B5F4E55946E9}.exe
File created	C:\Windows\{1B541F34-39A2-4c35-A6AE-533EDD992BE2}.exe	{A616FFF6-C841-4697-906B-2F811214976E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2964	13ad5d0cb2b321ac7cbda3c6ffe5cda3_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2144	{6E4CB87C-7148-4cb7-8204-2B2007F9B2E7}.exe
Token: SeIncBasePriorityPrivilege	2828	{1B5FB26C-CFEC-49ae-9A3A-AA552D33D5A7}.exe
Token: SeIncBasePriorityPrivilege	2416	{0AEA5A48-7260-4d37-8C4E-3D8B89F63B87}.exe
Token: SeIncBasePriorityPrivilege	2660	{4C63C6FC-2788-47ee-911C-D60ED5F8C5DE}.exe
Token: SeIncBasePriorityPrivilege	2360	{4C50190C-6D34-4723-937B-47EC3EEC1B47}.exe
Token: SeIncBasePriorityPrivilege	268	{E1B3A8C0-F615-4611-8CA8-BFB14F5EA996}.exe
Token: SeIncBasePriorityPrivilege	1004	{2A304159-24EC-44dd-A60D-B5F4E55946E9}.exe
Token: SeIncBasePriorityPrivilege	1560	{A616FFF6-C841-4697-906B-2F811214976E}.exe
Token: SeIncBasePriorityPrivilege	3016	{1B541F34-39A2-4c35-A6AE-533EDD992BE2}.exe
Token: SeIncBasePriorityPrivilege	2888	{B9E09BCE-0491-4ade-A649-E39A5EDCF690}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2144	2964	13ad5d0cb2b321ac7cbda3c6ffe5cda3_goldeneye_JC.exe	28
PID 2964 wrote to memory of 2144	2964	13ad5d0cb2b321ac7cbda3c6ffe5cda3_goldeneye_JC.exe	28
PID 2964 wrote to memory of 2144	2964	13ad5d0cb2b321ac7cbda3c6ffe5cda3_goldeneye_JC.exe	28
PID 2964 wrote to memory of 2144	2964	13ad5d0cb2b321ac7cbda3c6ffe5cda3_goldeneye_JC.exe	28
PID 2964 wrote to memory of 2812	2964	13ad5d0cb2b321ac7cbda3c6ffe5cda3_goldeneye_JC.exe	29
PID 2964 wrote to memory of 2812	2964	13ad5d0cb2b321ac7cbda3c6ffe5cda3_goldeneye_JC.exe	29
PID 2964 wrote to memory of 2812	2964	13ad5d0cb2b321ac7cbda3c6ffe5cda3_goldeneye_JC.exe	29
PID 2964 wrote to memory of 2812	2964	13ad5d0cb2b321ac7cbda3c6ffe5cda3_goldeneye_JC.exe	29
PID 2144 wrote to memory of 2828	2144	{6E4CB87C-7148-4cb7-8204-2B2007F9B2E7}.exe	32
PID 2144 wrote to memory of 2828	2144	{6E4CB87C-7148-4cb7-8204-2B2007F9B2E7}.exe	32
PID 2144 wrote to memory of 2828	2144	{6E4CB87C-7148-4cb7-8204-2B2007F9B2E7}.exe	32
PID 2144 wrote to memory of 2828	2144	{6E4CB87C-7148-4cb7-8204-2B2007F9B2E7}.exe	32
PID 2144 wrote to memory of 3012	2144	{6E4CB87C-7148-4cb7-8204-2B2007F9B2E7}.exe	33
PID 2144 wrote to memory of 3012	2144	{6E4CB87C-7148-4cb7-8204-2B2007F9B2E7}.exe	33
PID 2144 wrote to memory of 3012	2144	{6E4CB87C-7148-4cb7-8204-2B2007F9B2E7}.exe	33
PID 2144 wrote to memory of 3012	2144	{6E4CB87C-7148-4cb7-8204-2B2007F9B2E7}.exe	33
PID 2828 wrote to memory of 2416	2828	{1B5FB26C-CFEC-49ae-9A3A-AA552D33D5A7}.exe	34
PID 2828 wrote to memory of 2416	2828	{1B5FB26C-CFEC-49ae-9A3A-AA552D33D5A7}.exe	34
PID 2828 wrote to memory of 2416	2828	{1B5FB26C-CFEC-49ae-9A3A-AA552D33D5A7}.exe	34
PID 2828 wrote to memory of 2416	2828	{1B5FB26C-CFEC-49ae-9A3A-AA552D33D5A7}.exe	34
PID 2828 wrote to memory of 2948	2828	{1B5FB26C-CFEC-49ae-9A3A-AA552D33D5A7}.exe	35
PID 2828 wrote to memory of 2948	2828	{1B5FB26C-CFEC-49ae-9A3A-AA552D33D5A7}.exe	35
PID 2828 wrote to memory of 2948	2828	{1B5FB26C-CFEC-49ae-9A3A-AA552D33D5A7}.exe	35
PID 2828 wrote to memory of 2948	2828	{1B5FB26C-CFEC-49ae-9A3A-AA552D33D5A7}.exe	35
PID 2416 wrote to memory of 2660	2416	{0AEA5A48-7260-4d37-8C4E-3D8B89F63B87}.exe	36
PID 2416 wrote to memory of 2660	2416	{0AEA5A48-7260-4d37-8C4E-3D8B89F63B87}.exe	36
PID 2416 wrote to memory of 2660	2416	{0AEA5A48-7260-4d37-8C4E-3D8B89F63B87}.exe	36
PID 2416 wrote to memory of 2660	2416	{0AEA5A48-7260-4d37-8C4E-3D8B89F63B87}.exe	36
PID 2416 wrote to memory of 2716	2416	{0AEA5A48-7260-4d37-8C4E-3D8B89F63B87}.exe	37
PID 2416 wrote to memory of 2716	2416	{0AEA5A48-7260-4d37-8C4E-3D8B89F63B87}.exe	37
PID 2416 wrote to memory of 2716	2416	{0AEA5A48-7260-4d37-8C4E-3D8B89F63B87}.exe	37
PID 2416 wrote to memory of 2716	2416	{0AEA5A48-7260-4d37-8C4E-3D8B89F63B87}.exe	37
PID 2660 wrote to memory of 2360	2660	{4C63C6FC-2788-47ee-911C-D60ED5F8C5DE}.exe	38
PID 2660 wrote to memory of 2360	2660	{4C63C6FC-2788-47ee-911C-D60ED5F8C5DE}.exe	38
PID 2660 wrote to memory of 2360	2660	{4C63C6FC-2788-47ee-911C-D60ED5F8C5DE}.exe	38
PID 2660 wrote to memory of 2360	2660	{4C63C6FC-2788-47ee-911C-D60ED5F8C5DE}.exe	38
PID 2660 wrote to memory of 2508	2660	{4C63C6FC-2788-47ee-911C-D60ED5F8C5DE}.exe	39
PID 2660 wrote to memory of 2508	2660	{4C63C6FC-2788-47ee-911C-D60ED5F8C5DE}.exe	39
PID 2660 wrote to memory of 2508	2660	{4C63C6FC-2788-47ee-911C-D60ED5F8C5DE}.exe	39
PID 2660 wrote to memory of 2508	2660	{4C63C6FC-2788-47ee-911C-D60ED5F8C5DE}.exe	39
PID 2360 wrote to memory of 268	2360	{4C50190C-6D34-4723-937B-47EC3EEC1B47}.exe	40
PID 2360 wrote to memory of 268	2360	{4C50190C-6D34-4723-937B-47EC3EEC1B47}.exe	40
PID 2360 wrote to memory of 268	2360	{4C50190C-6D34-4723-937B-47EC3EEC1B47}.exe	40
PID 2360 wrote to memory of 268	2360	{4C50190C-6D34-4723-937B-47EC3EEC1B47}.exe	40
PID 2360 wrote to memory of 1288	2360	{4C50190C-6D34-4723-937B-47EC3EEC1B47}.exe	41
PID 2360 wrote to memory of 1288	2360	{4C50190C-6D34-4723-937B-47EC3EEC1B47}.exe	41
PID 2360 wrote to memory of 1288	2360	{4C50190C-6D34-4723-937B-47EC3EEC1B47}.exe	41
PID 2360 wrote to memory of 1288	2360	{4C50190C-6D34-4723-937B-47EC3EEC1B47}.exe	41
PID 268 wrote to memory of 1004	268	{E1B3A8C0-F615-4611-8CA8-BFB14F5EA996}.exe	42
PID 268 wrote to memory of 1004	268	{E1B3A8C0-F615-4611-8CA8-BFB14F5EA996}.exe	42
PID 268 wrote to memory of 1004	268	{E1B3A8C0-F615-4611-8CA8-BFB14F5EA996}.exe	42
PID 268 wrote to memory of 1004	268	{E1B3A8C0-F615-4611-8CA8-BFB14F5EA996}.exe	42
PID 268 wrote to memory of 1072	268	{E1B3A8C0-F615-4611-8CA8-BFB14F5EA996}.exe	43
PID 268 wrote to memory of 1072	268	{E1B3A8C0-F615-4611-8CA8-BFB14F5EA996}.exe	43
PID 268 wrote to memory of 1072	268	{E1B3A8C0-F615-4611-8CA8-BFB14F5EA996}.exe	43
PID 268 wrote to memory of 1072	268	{E1B3A8C0-F615-4611-8CA8-BFB14F5EA996}.exe	43
PID 1004 wrote to memory of 1560	1004	{2A304159-24EC-44dd-A60D-B5F4E55946E9}.exe	44
PID 1004 wrote to memory of 1560	1004	{2A304159-24EC-44dd-A60D-B5F4E55946E9}.exe	44
PID 1004 wrote to memory of 1560	1004	{2A304159-24EC-44dd-A60D-B5F4E55946E9}.exe	44
PID 1004 wrote to memory of 1560	1004	{2A304159-24EC-44dd-A60D-B5F4E55946E9}.exe	44
PID 1004 wrote to memory of 976	1004	{2A304159-24EC-44dd-A60D-B5F4E55946E9}.exe	45
PID 1004 wrote to memory of 976	1004	{2A304159-24EC-44dd-A60D-B5F4E55946E9}.exe	45
PID 1004 wrote to memory of 976	1004	{2A304159-24EC-44dd-A60D-B5F4E55946E9}.exe	45
PID 1004 wrote to memory of 976	1004	{2A304159-24EC-44dd-A60D-B5F4E55946E9}.exe	45

C:\Users\Admin\AppData\Local\Temp\13ad5d0cb2b321ac7cbda3c6ffe5cda3_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\13ad5d0cb2b321ac7cbda3c6ffe5cda3_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\{6E4CB87C-7148-4cb7-8204-2B2007F9B2E7}.exe
  C:\Windows\{6E4CB87C-7148-4cb7-8204-2B2007F9B2E7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\{1B5FB26C-CFEC-49ae-9A3A-AA552D33D5A7}.exe
    C:\Windows\{1B5FB26C-CFEC-49ae-9A3A-AA552D33D5A7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\{0AEA5A48-7260-4d37-8C4E-3D8B89F63B87}.exe
      C:\Windows\{0AEA5A48-7260-4d37-8C4E-3D8B89F63B87}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Windows\{4C63C6FC-2788-47ee-911C-D60ED5F8C5DE}.exe
        
        C:\Windows\{4C63C6FC-2788-47ee-911C-D60ED5F8C5DE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Windows\{4C50190C-6D34-4723-937B-47EC3EEC1B47}.exe
        
        C:\Windows\{4C50190C-6D34-4723-937B-47EC3EEC1B47}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\{E1B3A8C0-F615-4611-8CA8-BFB14F5EA996}.exe
        
        C:\Windows\{E1B3A8C0-F615-4611-8CA8-BFB14F5EA996}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        C:\Windows\{2A304159-24EC-44dd-A60D-B5F4E55946E9}.exe
        
        C:\Windows\{2A304159-24EC-44dd-A60D-B5F4E55946E9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\{A616FFF6-C841-4697-906B-2F811214976E}.exe
        
        C:\Windows\{A616FFF6-C841-4697-906B-2F811214976E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\{1B541F34-39A2-4c35-A6AE-533EDD992BE2}.exe
        
        C:\Windows\{1B541F34-39A2-4c35-A6AE-533EDD992BE2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\{B9E09BCE-0491-4ade-A649-E39A5EDCF690}.exe
        
        C:\Windows\{B9E09BCE-0491-4ade-A649-E39A5EDCF690}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\{AC760150-BCFE-488a-BF6A-0367C73D7C0D}.exe
        
        C:\Windows\{AC760150-BCFE-488a-BF6A-0367C73D7C0D}.exe
        12⤵
        Executes dropped EXE
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9E09~1.EXE > nul
        12⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B541~1.EXE > nul
        11⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A616F~1.EXE > nul
        10⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A304~1.EXE > nul
        9⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1B3A~1.EXE > nul
        8⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C501~1.EXE > nul
        7⤵
        
        PID:1288
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C63C~1.EXE > nul
        6⤵
        
        PID:2508
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AEA5~1.EXE > nul
        5⤵
        
        PID:2716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1B5FB~1.EXE > nul
      4⤵
      PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6E4CB~1.EXE > nul
    3⤵
    PID:3012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\13AD5D~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0AEA5A48-7260-4d37-8C4E-3D8B89F63B87}.exe

Filesize
372KB

MD5
24eff48186bef7ad6a6f4ca754c121c7

SHA1
738c81b09b25225e38a7ebbf456d1d310bd1adfc

SHA256
a6bf43f4ecb1dcd873aa36278182f25edc9bffd77d87375fdf893cdcc355c017

SHA512
13914beee05a65bef160a48e66734cb803f19ccf79cd3b9c2db86e8495967010722c53b1e82840e16a597fd413235b19322f0d1bb3e83789dd1eb33dd96c1120

Download Submit
C:\Windows\{0AEA5A48-7260-4d37-8C4E-3D8B89F63B87}.exe

Filesize
372KB

MD5
24eff48186bef7ad6a6f4ca754c121c7

SHA1
738c81b09b25225e38a7ebbf456d1d310bd1adfc

SHA256
a6bf43f4ecb1dcd873aa36278182f25edc9bffd77d87375fdf893cdcc355c017

SHA512
13914beee05a65bef160a48e66734cb803f19ccf79cd3b9c2db86e8495967010722c53b1e82840e16a597fd413235b19322f0d1bb3e83789dd1eb33dd96c1120

Download Submit
C:\Windows\{1B541F34-39A2-4c35-A6AE-533EDD992BE2}.exe

Filesize
372KB

MD5
bf7c2a12f7d55638e9b06ef798f2ef66

SHA1
a59a0aa74c2fab0e53c6abb6d52c0ef524dd1a1a

SHA256
9e459d3111f4e666b7d9f3dd12a4a94fef3de4a13882c4cbde5d2d5847d491b9

SHA512
645717fe7cf6eaf52113dac7f33d746bae87da7be63cf5175d82de06508d094404ee55af67de1e0069422704a6ef4e344d0e520348752db2b2d4fca003395260

Download Submit
C:\Windows\{1B541F34-39A2-4c35-A6AE-533EDD992BE2}.exe

Filesize
372KB

MD5
bf7c2a12f7d55638e9b06ef798f2ef66

SHA1
a59a0aa74c2fab0e53c6abb6d52c0ef524dd1a1a

SHA256
9e459d3111f4e666b7d9f3dd12a4a94fef3de4a13882c4cbde5d2d5847d491b9

SHA512
645717fe7cf6eaf52113dac7f33d746bae87da7be63cf5175d82de06508d094404ee55af67de1e0069422704a6ef4e344d0e520348752db2b2d4fca003395260

Download Submit
C:\Windows\{1B5FB26C-CFEC-49ae-9A3A-AA552D33D5A7}.exe

Filesize
372KB

MD5
cc529577b6182e2af9254174cf236cf4

SHA1
23c0c1331937e20952933c195fe5a703feced6b9

SHA256
6903e90f3ea15ce00d84041ebfbd726a3038cda12b6b1dfe4d3b483e186375f8

SHA512
f72c0c58fc33794bb100eb930b4d0228db824c81f5ef807ec012365d48259667157303d651823813285494a5471ee1fe8acb55ee8c3c5dd28823a39166d0194b

Download Submit
C:\Windows\{1B5FB26C-CFEC-49ae-9A3A-AA552D33D5A7}.exe

Filesize
372KB

MD5
cc529577b6182e2af9254174cf236cf4

SHA1
23c0c1331937e20952933c195fe5a703feced6b9

SHA256
6903e90f3ea15ce00d84041ebfbd726a3038cda12b6b1dfe4d3b483e186375f8

SHA512
f72c0c58fc33794bb100eb930b4d0228db824c81f5ef807ec012365d48259667157303d651823813285494a5471ee1fe8acb55ee8c3c5dd28823a39166d0194b

Download Submit
C:\Windows\{2A304159-24EC-44dd-A60D-B5F4E55946E9}.exe

Filesize
372KB

MD5
8f18c5e3c09303a61d6475a11e18852b

SHA1
5f8a0c536cc213dcb9b77ead59345dc50f7b4f04

SHA256
2e9fe480890f41231eb07d2810411644db57d2cf6a715a43723222253419908f

SHA512
8d34f106343c42e32971aefcec9c80597be2414440220d42954ef92e761119890260276f352a6f8cb76b863d21207912cc19536a62c3cb752ef96c0c1bd5ddd7

Download Submit
C:\Windows\{2A304159-24EC-44dd-A60D-B5F4E55946E9}.exe

Filesize
372KB

MD5
8f18c5e3c09303a61d6475a11e18852b

SHA1
5f8a0c536cc213dcb9b77ead59345dc50f7b4f04

SHA256
2e9fe480890f41231eb07d2810411644db57d2cf6a715a43723222253419908f

SHA512
8d34f106343c42e32971aefcec9c80597be2414440220d42954ef92e761119890260276f352a6f8cb76b863d21207912cc19536a62c3cb752ef96c0c1bd5ddd7

Download Submit
C:\Windows\{4C50190C-6D34-4723-937B-47EC3EEC1B47}.exe

Filesize
372KB

MD5
0e46b936509dd8d05aee48473d3f53f0

SHA1
32b83a6abfb3b25452d280f7bedd3870abd7f3c6

SHA256
0a10129628436528b1f0fb47811f9090f669137ac395d21fe3fd570668e74263

SHA512
17ac6819baa5e3759e59d03abbf423003870820b8d7c737b93ef2747480469292c625a586e1e5fa226862b57d90a1c2137a7dc483756bd20fb3e029d747aa5a4

Download Submit
C:\Windows\{4C50190C-6D34-4723-937B-47EC3EEC1B47}.exe

Filesize
372KB

MD5
0e46b936509dd8d05aee48473d3f53f0

SHA1
32b83a6abfb3b25452d280f7bedd3870abd7f3c6

SHA256
0a10129628436528b1f0fb47811f9090f669137ac395d21fe3fd570668e74263

SHA512
17ac6819baa5e3759e59d03abbf423003870820b8d7c737b93ef2747480469292c625a586e1e5fa226862b57d90a1c2137a7dc483756bd20fb3e029d747aa5a4

Download Submit
C:\Windows\{4C63C6FC-2788-47ee-911C-D60ED5F8C5DE}.exe

Filesize
372KB

MD5
fc97bdb3c2f14a74d22ecd66f66da5f8

SHA1
3b060d28e3c17793cc4a37fc2939b6790bef35ac

SHA256
08fe06df95da2e0c257f40b9be8f7d53792a57f22ead982c20c3067102ccf14e

SHA512
0e4a40866037ad60058fc460cf132b1a5498680585be5c7139b700055c5b6593c0c9439e55b626937763424e041e8adcae1e4dddce414bb917cf8ea0e02ba8ae

Download Submit
C:\Windows\{4C63C6FC-2788-47ee-911C-D60ED5F8C5DE}.exe

Filesize
372KB

MD5
fc97bdb3c2f14a74d22ecd66f66da5f8

SHA1
3b060d28e3c17793cc4a37fc2939b6790bef35ac

SHA256
08fe06df95da2e0c257f40b9be8f7d53792a57f22ead982c20c3067102ccf14e

SHA512
0e4a40866037ad60058fc460cf132b1a5498680585be5c7139b700055c5b6593c0c9439e55b626937763424e041e8adcae1e4dddce414bb917cf8ea0e02ba8ae

Download Submit
C:\Windows\{6E4CB87C-7148-4cb7-8204-2B2007F9B2E7}.exe

Filesize
372KB

MD5
a175a5904bbc7679f6afab3c34fa8bf2

SHA1
103e44253fd036aa5bad0e7e99df4efd217e7eee

SHA256
a6d69e026a3298efa6b4dc10cae57c6bad1116e6cc1b5ec7fd95c00faf22de8a

SHA512
0777e833f34a7dc118385d6a13ec1e4c531a85a8db3c1f6ab11f7d5e20f8a7065d3beef0be7083a0cee8b22024d16d752446134b464cb2d2c59f7eb6d8f88785

Download Submit
C:\Windows\{6E4CB87C-7148-4cb7-8204-2B2007F9B2E7}.exe

Filesize
372KB

MD5
a175a5904bbc7679f6afab3c34fa8bf2

SHA1
103e44253fd036aa5bad0e7e99df4efd217e7eee

SHA256
a6d69e026a3298efa6b4dc10cae57c6bad1116e6cc1b5ec7fd95c00faf22de8a

SHA512
0777e833f34a7dc118385d6a13ec1e4c531a85a8db3c1f6ab11f7d5e20f8a7065d3beef0be7083a0cee8b22024d16d752446134b464cb2d2c59f7eb6d8f88785

Download Submit
C:\Windows\{6E4CB87C-7148-4cb7-8204-2B2007F9B2E7}.exe

Filesize
372KB

MD5
a175a5904bbc7679f6afab3c34fa8bf2

SHA1
103e44253fd036aa5bad0e7e99df4efd217e7eee

SHA256
a6d69e026a3298efa6b4dc10cae57c6bad1116e6cc1b5ec7fd95c00faf22de8a

SHA512
0777e833f34a7dc118385d6a13ec1e4c531a85a8db3c1f6ab11f7d5e20f8a7065d3beef0be7083a0cee8b22024d16d752446134b464cb2d2c59f7eb6d8f88785

Download Submit
C:\Windows\{A616FFF6-C841-4697-906B-2F811214976E}.exe

Filesize
372KB

MD5
464ee117bf556710029cfbecef2c49b1

SHA1
768f2e47d623ac97960252de55c9d9a2d106878b

SHA256
44e429438c52a909dce374a04fc53f580b325250a0933d4748b686476d6f58b9

SHA512
791191953137552e5a464da232fed0b00dbd6a14b6ab87825f67f54ae56214d39b0af1b8b0d9d7544e4154d99832aba42b29d1a27ef8a3ea8da0cdd2725d8e2c

Download Submit
C:\Windows\{A616FFF6-C841-4697-906B-2F811214976E}.exe

Filesize
372KB

MD5
464ee117bf556710029cfbecef2c49b1

SHA1
768f2e47d623ac97960252de55c9d9a2d106878b

SHA256
44e429438c52a909dce374a04fc53f580b325250a0933d4748b686476d6f58b9

SHA512
791191953137552e5a464da232fed0b00dbd6a14b6ab87825f67f54ae56214d39b0af1b8b0d9d7544e4154d99832aba42b29d1a27ef8a3ea8da0cdd2725d8e2c

Download Submit
C:\Windows\{AC760150-BCFE-488a-BF6A-0367C73D7C0D}.exe

Filesize
372KB

MD5
001df9a57a3c124565fea94e3260131d

SHA1
8fcdeb0acd5f3166da27502b32b54e6e6a4c8b59

SHA256
2efcc5f66815252a4fb47ef1455b7e731e4c0bab7644a62966ea0892633b4e81

SHA512
4dc938c2d710efa11cc32097cc426c89b40dfbde2af739b20c87744bca2f5cfbb90d03afe6fe699915381a8143022690889e7d7f3bbc88fcb55a4515a6a887d6

Download Submit
C:\Windows\{B9E09BCE-0491-4ade-A649-E39A5EDCF690}.exe

Filesize
372KB

MD5
d98183b92196c998fd7bf91bdc63dacd

SHA1
4b9450201231769fc40a04e83d3d5bac6a5d2428

SHA256
f6dc5df44c393f8b5cf132bb4d1063c5c9bdbb1241313cfb8eaa44ecd630cd33

SHA512
ac860b80e2c8ec1d1d09df55bd6a2cd5bb2bddadab2a6ce6785140387e01efe626238784ac1ded2f0bfcffb245dab5f7bba9b51fdbdbf5cc347ab92b835ed548

Download Submit
C:\Windows\{B9E09BCE-0491-4ade-A649-E39A5EDCF690}.exe

Filesize
372KB

MD5
d98183b92196c998fd7bf91bdc63dacd

SHA1
4b9450201231769fc40a04e83d3d5bac6a5d2428

SHA256
f6dc5df44c393f8b5cf132bb4d1063c5c9bdbb1241313cfb8eaa44ecd630cd33

SHA512
ac860b80e2c8ec1d1d09df55bd6a2cd5bb2bddadab2a6ce6785140387e01efe626238784ac1ded2f0bfcffb245dab5f7bba9b51fdbdbf5cc347ab92b835ed548

Download Submit
C:\Windows\{E1B3A8C0-F615-4611-8CA8-BFB14F5EA996}.exe

Filesize
372KB

MD5
82fe833e1ad2c85d1b7a3ab3a3591ef9

SHA1
5f4a90e385a25fb6f7a421fb41516089a4e97c16

SHA256
071a2ef3cf4417e7700fca665782965970f12268ac2b55dd1938ffb9f7f752f0

SHA512
b51c50a36664aa04bcd7c9db9f1ed35b04bc7ebacfb079cf3f2196d9f54ae1b1a224b914e32c09d0881a08fccab953a7225db1094600d1fd3f61f13474278039

Download Submit
C:\Windows\{E1B3A8C0-F615-4611-8CA8-BFB14F5EA996}.exe

Filesize
372KB

MD5
82fe833e1ad2c85d1b7a3ab3a3591ef9

SHA1
5f4a90e385a25fb6f7a421fb41516089a4e97c16

SHA256
071a2ef3cf4417e7700fca665782965970f12268ac2b55dd1938ffb9f7f752f0

SHA512
b51c50a36664aa04bcd7c9db9f1ed35b04bc7ebacfb079cf3f2196d9f54ae1b1a224b914e32c09d0881a08fccab953a7225db1094600d1fd3f61f13474278039

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads